IDS mailing list archives
Re: Question on resources needed to manage IDSes
From: "Andy Cuff [Talisker]" <lists () securitywizardry com>
Date: Mon, 1 Dec 2003 22:45:23 -0000
Hi Ken,

I'd suggest that there is no metric to define resources required to manage an IDS. It depends on many factors, not least of which are:

- Type of IDS
- Signature policy: do you watch for everything or just intrusions?
- Is there an event correlation and/or severity reduction tool?
- Size of network monitored
- How well behaved is the user community, or is it a University :o(
- Do you have a big stick to beat them when they're naughty (it makes a difference)
- How secure are the underlying hosts that you're watching?
- Is the IDS internal or external?
- Type of IDS (have I said that?)
- Are you filtering at the border router?
- Are you watching 24/7?
- How many resources can you throw at false positive reduction?

Also look at sys admins to support/deploy/update the sensors, and a DBA to look after the databases - especially important for certain IDS.

Who writes the signatures, and what about research and development?

Who responds to the alerts? With so many sensors it would be sensible to have an elevation mechanism where the front line triage can pass on the more serious / harder to resolve alerts.

Bottom line: "suck it and see". Start small and build up, build up gradually, making sure you don't bite off more than you can chew; catching up is far more difficult than keeping up.

I hope this helps. Sorry if you feel my comments are in any way negative, but I'm older than my years because I didn't consider the above.

take care
-andy

Talisker Security Tools Directory
http://www.securitywizardry.com

----- Original Message -----
From: <kgeorgiades () toplayer com>
To: <focus-ids () securityfocus com>
Sent: Monday, December 01, 2003 3:16 PM
Subject: Question on resources needed to manage IDSes
Everyone seems to be talking about the large volume of alarms and logs produced by IDSes. Managing IDSes and dealing with false alarms seems to be an issue that all IDS vendors are trying to address. Has any one of you seen any data on how many analysts (resources) are needed to manage IDSes in enterprises? I am looking for a rule of thumb, something like this:

- 1-5 IDS sensors - 1 Analyst
- 5-15 IDS sensors - 2 Analysts
- 15-50 IDS sensors - 3 Analysts
- 1 Analyst for every 30 additional IDS sensors

I will appreciate any feedback that I can get.

Thanks,
Kyriacos (Ken) Georgiades
Senior Director, Product Line Management
Top Layer Networks, Inc
Tel: 508 870 1300 x 231
Cell: 508 783 5988
Fax: 508 870 9797
Email: kgeorgiades () toplayer com
www.toplayer.com
Current thread:
- Question on resources needed to manage IDSes kgeorgiades (Dec 01)
- Re: Question on resources needed to manage IDSes Peter Schawacker (Dec 01)
- Re: Question on resources needed to manage IDSes Andy Cuff [Talisker] (Dec 01)
- Re: Question on resources needed to manage IDSes Jack Whitsitt (jofny) (Dec 02)
- <Possible follow-ups>
- Re: Question on resources needed to manage IDSes simonis (Dec 02)
- Re: Question on resources needed to manage IDSes Jeff Nathan (Dec 02)
- Re: Question on resources needed to manage IDSes Anton A. Chuvakin (Dec 09)
- Re: Question on resources needed to manage IDSes Jeff Nathan (Dec 10)
- Re: Question on resources needed to manage IDSes Jeff Nathan (Dec 02)
- Re: Question on resources needed to manage IDSes Terence Runge (Dec 02)
- RE: Question on resources needed to manage IDSes Kohlenberg, Toby (Dec 03)
- RE: Question on resources needed to manage IDSes Teicher, Mark (Mark) (Dec 03)
- RE: Question on resources needed to manage IDSes Morse, Greg (Dec 03)
- RE: Question on resources needed to manage IDSes Teicher, Mark (Mark) (Dec 10)